Didier Stevens

Tuesday 29 June 2010

Quickpost: No Escape From PDF

Filed under: PDF,Quickpost,Vulnerabilities — Didier Stevens @ 18:41

Adobe has released a new Adobe Reader version with a fix for my /Launch action PoC PDF.

Before version 9.3.3:

Since version 9.3.3:

Not only is the dialog box fixed, but the /Launch action is also disabled by default.

Quickpost info

Possibly related posts: (automatically generated)


9 Comments »

  1. Time to disclosure details about change pop-up message?

    Comment by Nobody — Tuesday 29 June 2010 @ 22:04

  2. [...] applications" feature will be disabled by default. Alert dialogues will also no longer display the parameters submitted by the attacker, which could confuse users, instead only displaying the [...]

    Pingback by Adobe Reader and Acrobat updates close 17 critical holes — Wednesday 30 June 2010 @ 12:58

  3. time to come up with some other attacks :)

    Comment by zhane — Wednesday 30 June 2010 @ 14:07

  4. @Nobody Will disclose this at Brucon.org

    Comment by Didier Stevens — Wednesday 30 June 2010 @ 16:52

  5. I know this is a lazy comment but can you confirm that either the /Launch command can not be enabled or that if it can be (through registry setting?), the message box is still mandatory and can not be modified ?

    Comment by Wim — Wednesday 30 June 2010 @ 21:17

  6. Did you see this reference to an easy bypass of the ‘fix’? It appears in comments to ISC’s story on the patch.
    http://blog.bkis.com/en/adobe-fix-still-allows-escape-from-pdf/

    Comment by Paul — Thursday 1 July 2010 @ 1:01

  7. Didier, Please escape form PDF
    http://blog.bkis.com/en/adobe-fix-still-allows-escape-from-pdf/

    Comment by Royal — Thursday 1 July 2010 @ 4:45

  8. [...] has taken Adobe three months to release the patch. On the blog entry, Didier confirms that Adobe has completely fixed the flaw. However the patch turns out to be [...]

    Pingback by Adobe fix still allows “Escape from PDF” | MEDOIX — Thursday 1 July 2010 @ 6:02

  9. [...] Stevens @ 21:20 Adobe has released a new Adobe Reader version that contains functionality to block my /Launch action PoC, but Bkis found a bypass: just put double quotes around cmd.exe, like this:  [...]

    Pingback by Quickpost: Preventing the /Launch Action “cmd.exe” Bypass « Didier Stevens — Sunday 4 July 2010 @ 21:20


RSS feed for comments on this post. TrackBack URI

Leave a comment

Blog at WordPress.com.